__________________________________________________________

              The U.S. Department of Energy
          Computer Incident Advisory Capability
__________________________________________________________

                    INFORMATION BULLETIN

          New Variants of Trinity and Stacheldraht DDoS

September 29, 2000 1:00 GMT                                    Number K-072
______________________________________________________________________________

PROBLEM:       New variants of the trinity and stacheldraht distributed
               denial of service tools have been discovered.

PLATFORM:      All platforms with network connections.

DAMAGE:        The clients of these tools are used to flood networks with
               packets, causing a denial of service.

SOLUTION:      Router configurations designed to block packets from the
               original tools (see:
               http://www.ciac.org/ciac/bulletins/k-032.shtml) should still
               work on these variants. These configurations block packets
               that appear on a network where they should not have been
               produced. They can only prevent machines on a subnet from
               attacking a machine somewhere else; they cannot protect a
               machine from being attacked. Be aware of the new capabilities
               of these tools and their methods of hiding on a system.
______________________________________________________________________________

VULNERABILITY  The vulnerability is Low. Current configurations (see:
ASSESSMENT:    http://www.ciac.org/ciac/bulletins/k-032.shtml) should still
               protect against being used to attack other systems. Systems
               can do little to protect themselves from being attacked.
______________________________________________________________________________

Internet Security Systems Security Alert
September 25, 2000

New Variants of Trinity and Stacheldraht Distributed Denial of Service Tools

Synopsis:

New versions of Stacheldraht and Trinity distributed denial of service (DDoS)
attack tools have been found in the wild.
The new versions of Stacheldraht include "Stacheldraht 1.666+antigl+yps" and
"Stacheldraht 1.666+smurf+yps". A variant of the Trinity tool called "entitee"
has also been reported.

Impact:

Distributed Denial of Service attacks can bring down a network by flooding
target machines with large amounts of traffic. In February of this year,
several of the Internet's largest Web sites, including Yahoo, Amazon.com,
eBay, and Buy.com, were disrupted for extended periods of time by DDoS tools.
These new tools were detected in corporate networks, as well as in personal
computers with high speed network connections. The prevalence of high speed
DSL and cable modem service magnifies these tools' potential effectiveness.

Description:

For an overview of the original Stacheldraht program, refer to the X-Force
Alert, "Denial of Service Attack using the TFN2K and Stacheldraht programs",
at: http://xforce.iss.net/alerts/advise43.php. For more information, Dave
Dittrich wrote a detailed analysis, which can be found at:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt.

In the newer version of the Stacheldraht program, there are several new
commands. The following is a complete list of commands in this new version:

    .mtimer     .mudp       .micmp      .msyn       .mack
    .mnul       .mstream    .mhavoc     .mrandom    .mip
    .mfdns      .msort      .showalive  .madd       .mlist
    .msadd      .msrem      .help       .setusize   .setisize
    .mdie       .sprange    .mstop      .killall    .showdead
    .forceit    .left       .enter

The following commands have been added since the first versions of
Stacheldraht:

    .mack      Sends a TCP ACK flood.
    .mnul      Sends a NULL flood, which is like a TCP SYN flood, but with the
               TCP flags set to 0.
    .mstream   Sends a stream attack flood
               (see http://xforce.iss.net/alerts/advise48.php).
    .mhavoc    Sends a "HAVOC" flood. This sends mixed ICMP, UDP, SYN, random
               TCP flags and IP headers simultaneously.
    .mrandom   Sends a flood of packets with random TCP headers.
    .mip       Sends a flood of regular IP headers.
    .mfdns     Sets the source port for floods to port 53.
    .msadd     Add a master server to the list of master servers.
    .forceit   This will cause a .mstop command to stop all agents from
               flooding, even if they are not flooding.
    .left      Tells you how much time is left before an agent stops flooding.

IRC flooding commands:

    .enter     Enter the IRC flooding interface.
    .part      Part a channel.
    .join      Join a channel.
    .msg       Send a message flood.

In this version, the user is prompted for a password when building the
binaries. There is no default password; however, there are some default
values used. When running, the agent "td" uses the process name "(kswapd)".
When it spawns child processes, they are named "httpd". The master server
"mserv" uses the process name "(httpd)".

When the master server is communicating with the agent, ICMP packets are
used. Each command is identified by the ICMP ID header field. In the version
obtained by the X-Force, the values are as follows:

For the network flooding commands and replies:

    699    Add an IP address to the list of addresses to be flooded
    6666   Send IP header flood
    7778   Send Stream attack
    9000   Add new master server to the Stacheldraht network
    9000   Spoof test reply
    9001   Remove master server
    9002   Distribute new versions of the agent
    9003   Shutdown agent
    9004   Set the amount of time to flood
    9005   Set the ICMP packet size for ICMP-based floods
    9006   Set the UDP packet size for UDP-based floods
    9007   Set the port range for SYN floods
    9012   Start a UDP flood
    9013   Start a SYN flood
    9014   Set the port for SYN floods
    9015   Stop flooding
    9016   Change spoofing mode
    9017   Replies from the client
    9028   Send Smurf attack
    9055   Send ICMP flood
    9113   Start an ACK flood
    9213   Start a NULL flood
    9668   Spoof test
    9934   Send Havoc flood
    9935   Send random TCP header flood
    9936   Send DNS packet flood

For the IRC flooding commands:

    1      Join IRC
    4      Part Channel
    5      Join Channel
    6      Message Flood

For an overview of the Trinity DDoS tool, refer to the X-Force Alert,
"Trinity v3 Distributed Denial of Service tool", at:
http://xforce.iss.net/alerts/advise59.php.

At least 8 different versions of Trinity have been found on the Undernet
Internet Relay Chat (IRC) network by the Undernet operators, each using a
different IRC channel. On September 17, 2000, "Rod R00T" reported a new
variant of Trinity, called "entitee", to the INCIDENTS mailing list at
SecurityFocus.com. It is functionally equivalent to Trinity v3, but it uses
different channels, keys, and passwords. Trinity v3 responds to commands in
the channel with a line beginning with "(trinity)", while entitee responds
with lines beginning with "(entitee)".

Recommendations:

The Stacheldraht and Trinity signatures in the ISS RealSecure intrusion
detection software are being updated to detect these new tools.

To find a Stacheldraht agent on your computer, use the lsof command:

[root@unix /root]# lsof | grep raw
td      1217 root   3u  raw         2083          00000000:0001->00000000:0000 st=07

[root@unix /root]# lsof -p 1217
COMMAND PID  USER FD  TYPE DEVICE SIZE    NODE   NAME
td      1217 root cwd DIR  8,1    4096    497157 /root/stach+antigl/client
td      1217 root rtd DIR  8,1    4096    2      /
td      1217 root txt REG  8,1    99396   497190 /root/stach+antigl/client/td
td      1217 root mem REG  8,1    344890  416837 /lib/ld-2.1.2.so
td      1217 root mem REG  8,1    4118299 416844 /lib/libc-2.1.2.so
td      1217 root 0u  raw         2218           00000000:0001->00000000:0000 st=07
td      1217 root 1u  CHR  136,1          3      /dev/pts/1
td      1217 root 2u  CHR  136,1          3      /dev/pts/1
td      1217 root 3u  raw         2083           00000000:0001->00000000:0000 st=07

To locate a Stacheldraht master server on your computer:

[root@unix stach+antigl]# lsof -i TCP:60001
COMMAND PID  USER FD  TYPE DEVICE SIZE NODE NAME
mserv   1346 root 3u  IPv4 2332        TCP  *:60001 (LISTEN)

[root@unix stach+antigl]# lsof -p 1346
COMMAND PID  USER FD  TYPE DEVICE SIZE    NODE   NAME
mserv   1346 root cwd DIR  8,1    4096    497149 /root/stach+antigl
mserv   1346 root rtd DIR  8,1    4096    2      /
mserv   1346 root txt REG  8,1    1356288 497188 /root/stach+antigl/mserv
mserv   1346 root 0u  CHR  136,0          2      /dev/pts/0
mserv   1346 root 1u  CHR  136,0          2      /dev/pts/0
mserv   1346 root 2u  CHR  136,0          2      /dev/pts/0
mserv   1346 root 3u  IPv4 2332           TCP    *:60001 (LISTEN)

For information on locating Trinity or Entitee on your machine, please see
the X-Force Alert, "Trinity v3 Distributed Denial of Service tool", at:
http://xforce.iss.net/alerts/advise59.php.

The ISS X-Force will provide additional functionality to detect these
vulnerabilities in upcoming X-Press Updates for Internet Scanner, RealSecure,
and System Scanner.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading SAFEsuite
security software, remote managed security services, and strategic consulting
and education offerings, ISS is a trusted security provider to its customers,
protecting digital assets and ensuring safe and uninterrupted e-business. ISS'
security management solutions protect more than 5,500 customers worldwide
including 21 of the 25 largest U.S. commercial banks, 10 of the largest
telecommunications companies and over 35 government agencies. Founded in 1994,
ISS is headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin America
and the Middle East. For more information, visit the Internet Security Systems
web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force.
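The ICMP ID table in the Description above is the concrete handle a network defender has on this variant's master-to-agent traffic. The following is an added example, not part of the bulletin and not ISS's RealSecure signature: it checks the ID field of captured ICMP messages against the listed values. Because the bulletin does not state whether the tool writes the ID in network or host byte order, the check reads the field both ways (an assumption, which also means a stray match from ordinary pings is possible, so treat hits as leads to confirm with lsof as shown above); the sample packets are constructed.

```python
import struct

# ICMP ID values the bulletin lists for the Stacheldraht 1.666 variant's network
# flooding commands and replies (the bulletin lists 9000 for two messages).
STACHELDRAHT_ICMP_IDS = {
    699: "add flood target", 6666: "IP header flood", 7778: "stream attack",
    9000: "add master server / spoof test reply", 9001: "remove master server",
    9002: "distribute new agent", 9003: "shutdown agent", 9004: "set flood time",
    9005: "set ICMP packet size", 9006: "set UDP packet size",
    9007: "set SYN port range", 9012: "start UDP flood", 9013: "start SYN flood",
    9014: "set SYN port", 9015: "stop flooding", 9016: "change spoofing mode",
    9017: "client reply", 9028: "smurf attack", 9055: "ICMP flood",
    9113: "start ACK flood", 9213: "start NULL flood", 9668: "spoof test",
    9934: "havoc flood", 9935: "random TCP header flood", 9936: "DNS packet flood",
}

def icmp_id_candidates(icmp: bytes) -> tuple:
    """Read the 16-bit ID field (bytes 4-5 of the ICMP header) in both byte orders.
    Assumption: the bulletin does not say which order the tool uses, so check both."""
    if len(icmp) < 8:           # shorter than an ICMP header: nothing to inspect
        return ()
    big = struct.unpack("!H", icmp[4:6])[0]
    little = struct.unpack("<H", icmp[4:6])[0]
    return (big,) if big == little else (big, little)

def classify_icmp(icmp: bytes):
    """Return (icmp_type, id, description) when the ID is on the list, else None."""
    for ident in icmp_id_candidates(icmp):
        if ident in STACHELDRAHT_ICMP_IDS:
            return icmp[0], ident, STACHELDRAHT_ICMP_IDS[ident]
    return None

def scan(packets):
    """Classify a batch of ICMP messages; one (index, type, id, desc) tuple per hit."""
    hits = []
    for index, pkt in enumerate(packets):
        match = classify_icmp(pkt)
        if match:
            hits.append((index,) + match)
    return hits

def build_icmp(icmp_type: int, ident: int, payload: bytes = b"") -> bytes:
    """Constructed ICMP message (type, code 0, zero checksum, id, seq 0) for testing."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, 0) + payload

# Constructed sample traffic: two echo replies carrying listed IDs, one ordinary ping.
SAMPLES = [build_icmp(0, 9013, b"10.0.0.5"), build_icmp(0, 9015), build_icmp(8, 1234, b"abcd")]

if __name__ == "__main__":
    for index, icmp_type, ident, desc in scan(SAMPLES):
        print(f"packet {index}: ICMP type {icmp_type}, id {ident} -> {desc}")
```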
If you wish to reprint the whole or any part of this Alert in any other medium
excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's
own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as
on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to X-Force, xforce@iss.net of
Internet Security Systems, Inc.

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Internet Security Systems
(ISS) for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:

    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one
of the following methods to contact CIAC:

    1. Call the CIAC voice number 925-422-8193 and leave a message, or
    2. Call 888-449-8369 to send a Sky Page to the CIAC duty person, or
    3. Send e-mail to 4498369@skytel.com, or
    4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)
    Modem access:    +1 (925) 423-4753 (28.8K baud)
                     +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.